Help me remove the Zeus Trojan Please



#16 drbob01 (Member, Topic Starter, 20 posts)
Here is the result of my mbr -f

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x89d84c10
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> 0x8979a330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1C4581
malicious code @ sector 0x01D1C4584 !
PE file found in sector at 0x01D1C459A !
Use "Recovery Console" command "fixmbr" to clear infection !
#17 RKinner (Malware Expert, MVP, 24,731 posts)
Does not appear to have worked this time.

Do you still have the three folders:

c:\documents and settings\HelpAssistant.DRBOBSCOMPUTER.001
c:\documents and settings\HelpAssistant.DRBOBSCOMPUTER.000
c:\documents and settings\HelpAssistant.DRBOBSCOMPUTER

?

Or were you able to delete them?

Can we get the DDS log?

Ron

#18 drbob01 (Member, Topic Starter, 20 posts)
I only had time to run the mbr -f but not the other. I will complete the remainder of your suggestions tomorrow and let you know when I am done...hope this works! Thanks for your time and awesome help!

#19 drbob01 (Member, Topic Starter, 20 posts)
I ran mbr -f and also manually removed the c:\documents and settings\drbobcomputer\helpassistant files, which were all still present. Then I ran DDS and can't zip the attach file. I am sending the DDS file here and can copy and send the attach file, but I don't have WinZip working (I have to purchase it).
So let me know if you want the attach.txt file.
Here is the DDS file:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Bob Lorenzo at 11:25:02.93 on Tue 02/23/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1471.707 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Softex\OmniPass\Help.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Avanquest\AutoSave\AutoSave.exe
C:\Program Files\SlickRun\sr.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Documents and Settings\Bob Lorenzo\Application Data\Smilebox\SmileboxTray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
I:\dnld\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Watch for Browser Events: {42a7ce31-cee7-4cce-a060-a44a7e52e062} - c:\progra~1\keyboa~1\kie.dll
BHO: {aa58ed58-01dd-4d91-8333-cf10577473f7} - Google Toolbar Helper
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [SlickRun] "c:\program files\slickrun\sr.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SmileboxTray] "c:\documents and settings\bob lorenzo\application data\smilebox\SmileboxTray.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [OmniPass] c:\program files\softex\omnipass\scureapp.exe
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [VTTrayp] VTtrayp.exe
mRun: [VTTimer] VTTimer.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [GhostStartTrayApp] c:\program files\symantec\norton ghost 2003\GhostStartTrayApp.exe
mRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [AutoSave] "c:\program files\avanquest\autosave\AutoSave.exe" /Autorun
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
dRunOnce: [RealUpgradeHelper] "c:\program files\common files\real\update_ob\upgrdhlp.exe" "RealNetworks|RealPlayer|12.0"
StartupFolder: c:\docume~1\boblor~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: E&xport to Microsoft Excel - g:\progra~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
Trusted Zone: penhurst.org\www
Trusted Zone: turbotax.com
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0C92900E-4D5A-4F04-ACC9-729E1767BBAE} - hxxp://www.ritzpix.com/net/Uploader/LPUploader45.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://portal.choa.org/CitrixSessionInit/ICAWEB/en/ica32/wficat.cab
DPF: {541AEDD4-20E8-4E6F-B12B-0FDD38BB712F} - hxxps://choapacs.choa.org/ami/install/amiviewer.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266276238296
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://adobe.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://emoryradiology.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} - hxxps://www.plaxo.com/activex/plx_upldr-2k-xp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LMIinit - LMIinit.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\boblor~1\applic~1\mozilla\firefox\profiles\jmw0x0po.default\
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\bob lorenzo\application data\mozilla\plugins\npatgpc.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: i:\penhurst\temp\vlc\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-30 162512]
R1 AutoSave;AutoSave;c:\windows\system32\drivers\AutoSave.sys [2008-3-14 30784]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2003-12-17 5632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-30 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-30 40384]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-2-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-6-27 47640]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-30 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-30 40384]
R3 FLMCKUSB;AuthenTec TruePrint USB Driver (AES3400, AES3500, AES4000);c:\windows\system32\drivers\FLMckUSB.sys [2008-3-14 80724]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 gupdate1c9fca22235d6a8;Google Update Service (gupdate1c9fca22235d6a8);c:\program files\google\update\GoogleUpdate.exe [2009-7-4 133104]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-6-21 42512]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys --> c:\windows\system32\drivers\radpms.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-02-22 11:28:08 77312 ----a-w- c:\windows\system32\mbr.exe
2010-02-21 20:08:49 0 d-sha-r- C:\cmdcons
2010-02-21 20:01:46 98816 ----a-w- c:\windows\sed.exe
2010-02-21 20:01:46 77312 ----a-w- c:\windows\MBR.exe
2010-02-21 20:01:46 261632 ----a-w- c:\windows\PEV.exe
2010-02-21 20:01:46 161792 ----a-w- c:\windows\SWREG.exe
2010-02-19 17:49:13 0 d-----w- c:\docume~1\boblor~1\applic~1\Office Genuine Advantage
2010-02-19 17:44:56 3254 ----a-w- c:\windows\system32\wbem\Outlook_01cab18b3ee8dfe0.mof
2010-02-16 13:19:43 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-02-16 13:19:43 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-02-13 12:29:02 0 d-----w- c:\program files\ThreatExpert Memory Scanner
2010-02-11 00:41:10 68551680 ----a-w- c:\program files\BlackBerry_Desktop_Software_v3.6_SP3a_ML.exe
2010-02-10 23:34:07 0 d-----w- c:\program files\common files\Pumatech Shared
2010-02-10 19:22:32 256 ----a-w- c:\documents and settings\bob lorenzo\pool.bin
2010-02-09 19:58:42 0 d-----w- c:\program files\common files\Sonic Shared
2010-02-09 14:59:24 52736 ------w- c:\windows\system32\SET19C.tmp
2010-02-09 14:58:21 954368 ------w- c:\windows\system32\SET82.tmp
2010-02-05 21:50:44 33792 ----a-w- c:\windows\system32\SET19B.tmp
2010-02-05 21:50:43 52736 ----a-w- c:\windows\system32\SET194.tmp
2010-02-05 21:50:41 43520 ----a-w- c:\windows\system32\SET18D.tmp
2010-02-05 21:49:36 303104 ------w- c:\windows\system32\SET67.tmp
2010-02-05 21:31:13 107448 ----a-w- c:\windows\hpqins05.dat
2010-02-05 12:41:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-02-05 12:41:51 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2010-02-04 23:31:54 0 d-----w- c:\program files\RegSeeker
2010-02-02 21:55:30 0 d-----w- c:\documents and settings\bob lorenzo\AppData
2010-02-02 15:57:05 0 d-----w- c:\program files\Secunia
2010-02-02 15:51:42 0 d-----r- c:\program files\Skype
2010-02-02 15:49:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-02 15:49:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-02 15:49:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 23:30:15 0 d-----w- c:\program files\iTunes
2010-02-01 04:41:14 0 d-----w- c:\documents and settings\bob lorenzo\dwhelper
2010-01-31 17:23:07 0 d-sh--w- c:\documents and settings\bob lorenzo\IETldCache
2010-01-31 13:35:42 0 d-----w- c:\windows\ie8updates
2010-01-31 13:28:28 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-01-31 13:28:20 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-31 13:28:20 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-30 20:55:18 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Alwil Software
2010-01-30 20:44:39 0 d-----w- c:\program files\Advanced Registry Optimizer
2010-01-30 19:27:29 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Citrix
2010-01-30 14:09:20 0 dc-h--w- c:\docume~1\alluse~1.win\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

==================== Find3M ====================

2010-02-23 12:35:16 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-02-23 12:35:13 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-02-15 03:00:12 108086 ----a-w- c:\windows\hpqins01.dat
2010-02-02 15:59:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet(3)(2).dll
2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:28 1168384 ----a-w- c:\windows\system32\urlmon(3)(2).dll
2010-01-05 10:00:28 105984 ----a-w- c:\windows\system32\url(3)(2).dll
2010-01-05 10:00:24 268288 ----a-w- c:\windows\system32\iertutil(2)(2).dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 19:52:38 0 ----a-w- c:\program files\pspbrwse.jbf
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-03 14:38:49 737280 ----a-w- c:\windows\iun6002.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-25 20:29:23 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-11-25 20:29:23 348160 ----a-w- c:\windows\system32\msvcr71.dll
2008-03-17 16:15:34 952 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-28 21:29:05 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092820080929\index.dat

============= FINISH: 11:26:04.81 ===============

#20 RKinner (Malware Expert, MVP, 24,731 posts)
"user & kernel MBR OK" may mean the tool worked. Are you still being redirected?
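The mbr.exe output posted in #16 and Ron's reading of it in #20 are easier to follow field by field. The Python below is an added example, not code from the thread or from Gmer's tool: it parses a constructed copy of that output and spells out why "user & kernel MBR OK" next to detected hooks reads as "sector 0 has been rewritten, but the rootkit was still resident when the scan ran". The "user != kernel MBR" line is assumed to be the tool's wording for a mismatch and does not appear in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the same line shapes as the `mbr -f` run posted in the thread.
SAMPLE_OUTPUT = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\ACPI -> 0x89d84c10
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> 0x8979a330
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1C4581
malicious code @ sector 0x01D1C4584 !
PE file found in sector at 0x01D1C459A !
Use "Recovery Console" command "fixmbr" to clear infection !
"""

HOOK_RE = re.compile(r"^(?P<target>.+?) -> 0x(?P<addr>[0-9a-fA-F]+)\s*$")
SECTOR_RE = re.compile(r"sector(?: at)? 0x(?P<sector>[0-9a-fA-F]+)")

@dataclass
class MbrReport:
    user_read_ok: bool = False        # user-mode read of sector 0 succeeded
    kernel_read_ok: bool = False      # kernel-mode read of sector 0 succeeded
    hooks: List[Tuple[str, int]] = field(default_factory=list)  # (hooked object, address)
    warning: bool = False             # tool printed "possible MBR rootkit infection"
    mbr_match: Optional[bool] = None  # do the user-mode and kernel-mode reads agree?
    mbr_copy_sector: Optional[int] = None  # where the original MBR was stashed
    payload_sectors: List[int] = field(default_factory=list)  # hidden code / PE file
    fixmbr_advised: bool = False      # tool recommended fixmbr from the Recovery Console

def parse_mbr_output(text: str) -> MbrReport:
    """Walk the tool's output line by line and fill in an MbrReport."""
    rep = MbrReport()
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_hooks:                      # lines after "detected MBR rootkit hooks:"
            m = HOOK_RE.match(line)
            if m:
                rep.hooks.append((m.group("target"), int(m.group("addr"), 16)))
                continue
            in_hooks = False              # first non-hook line ends the block
        sec = SECTOR_RE.search(line)
        if line == "user: MBR read successfully":
            rep.user_read_ok = True
        elif line == "kernel: MBR read successfully":
            rep.kernel_read_ok = True
        elif line == "detected MBR rootkit hooks:":
            in_hooks = True
        elif line.startswith("Warning: possible MBR rootkit infection"):
            rep.warning = True
        elif line == "user & kernel MBR OK":
            rep.mbr_match = True
        elif line.startswith("user != kernel MBR"):  # assumed mismatch wording; not in the thread
            rep.mbr_match = False
        elif line.startswith("copy of MBR has been found") and sec:
            rep.mbr_copy_sector = int(sec.group("sector"), 16)
        elif ("malicious code" in line or "PE file found" in line) and sec:
            rep.payload_sectors.append(int(sec.group("sector"), 16))
        elif line.startswith('Use "Recovery Console" command "fixmbr"'):
            rep.fixmbr_advised = True
    return rep

def verdict(rep: MbrReport) -> str:
    """Turn the parsed fields into the reading a helper would give.

    "user & kernel MBR OK" only says the two reads of sector 0 agree; right
    after `mbr -f` has rewritten sector 0 they do, which is why the thread
    takes it as "the tool worked".  The hooks and hidden sectors in the same
    output show the rootkit was still resident, so only a reboot and a fresh
    scan confirm the state.
    """
    if not (rep.user_read_ok and rep.kernel_read_ok):
        return "inconclusive: could not read the MBR"
    if rep.mbr_match is False:
        return "infected: user-mode and kernel-mode MBR differ"
    if rep.hooks or rep.payload_sectors or rep.warning:
        return "hooks/hidden payload present: reboot and rescan"
    return "clean"
```

Running `verdict(parse_mbr_output(SAMPLE_OUTPUT))` on the sample returns the "reboot and rescan" reading; the same function returns "clean" for an output that has only the two successful reads and the OK line.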

#21 drbob01 (Member, Topic Starter, 20 posts)
I am currently at work, but will check when I am home and reply...thanks! Hope this worked!!

#22 drbob01 (Member, Topic Starter, 20 posts)
Well, I tried it just now and it seems to be OK...it went to the correct site when I logged in. Hopefully, that will be the end of it! I presume it will not come back when I reboot. Also, I was planning on removing Avast and installing the new Microsoft Security Essentials software for my anti-virus/malware/etc. protection. Does that sound reasonable to you?
And...thanks sooo much for all your help!

#23 RKinner (Malware Expert, MVP, 24,731 posts)
I hope it doesn't come back too but you ought to reboot anyway to make sure. You were just lucky I had just finished with the same infection on another PC. It's very new and I spent a week trying different things until noadfear offered up his experimental tool. Yours was actually only the second one I've run it on and probably only the third that we've done here at G2G.

I use Avast on my home PC. (Along with Comodo's free firewall, winpatrol 2010, and autorun eater.) Not sure Microsoft really understands security but it's up to you.

You do not have the latest Java. Get the latest at:

http://www.java.com/...nload/index.jsp

Once you install it (6 Update 18, I think it should be), go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE).
I see:
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7

Older versions of Java can be used to infect your PC, plus each one wastes about 100 M of space.

Also make sure you have the latest versions of any adobe.com products you use, like Shockwave, Flash, Reader or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then, afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it, but I don't see the need for it and it has caused problems in the past.

Whether you use Adobe Reader, Acrobat or Foxit to read PDF files, you need to disable JavaScript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, click on JavaScript in the left column and uncheck Enable Acrobat JavaScript. OK. Close the program. It's the same for Foxit Reader except you uncheck Enable JavaScript Actions.

I recommend you install the free WinPatrol 2010 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

Ron
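Ron's Java advice in #23 rests on the fact that each JRE update installs side by side and stays behind as its own attack surface. As an added check, not part of the thread, the Python below pulls every Java 6 build the DDS log and the Add/Remove Programs lines give evidence for and lists the ones older than the version Ron names as current. The GUID reading is inferred from the DPF lines in the DDS log, where {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} sits beside jinstall-1_6_0_05; the sample lines are constructed from the ones posted in this thread.

```python
import re
from typing import List, Set, Tuple

# Constructed sample: Java-related lines in the shapes found in the DDS log
# (DPF and FF HiddenExtension entries) and in the Add/Remove Programs list.
SAMPLE_LINES = r"""
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 17
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"""

# jinstall-1_6_0_17-...: the installer cab name carries the exact JRE build.
JINSTALL_RE = re.compile(r"jinstall-1_(\d+)_\d+_(\d+)-")
# {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}: per-version plug-in class id.  The
# DPF lines pair 0016/0005 with jinstall-1_6_0_05, so the "1x" group is the
# Java family and the fourth group is the update number (inferred, see lead-in).
CAFE_RE = re.compile(r"\{CAFEEFAC-001(\d)-0000-(\d{4})-ABCDEFFEDCBA\}", re.I)
# "Java(TM) 6 Update 17" / "Java™ 6 Update 17" as Add/Remove Programs shows it.
DISPLAY_RE = re.compile(r"Java(?:\(TM\)|\u2122)?\s+(\d+)\s+Update\s+(\d+)")

def java_versions(text: str) -> Set[Tuple[int, int]]:
    """Every (family, update) pair the lines give evidence for.

    DPF and Firefox entries only prove a build was once present; the
    Add/Remove Programs lines are what decide whether it is still installed.
    """
    found = set()
    for line in text.splitlines():
        for rx in (JINSTALL_RE, CAFE_RE, DISPLAY_RE):
            m = rx.search(line)
            if m:
                found.add((int(m.group(1)), int(m.group(2))))
                break
    return found

def stale_java(text: str, current: Tuple[int, int]) -> List[Tuple[int, int]]:
    """Builds older than `current`, oldest first (Ron names 6 Update 18 as current)."""
    return sorted(v for v in java_versions(text) if v < current)

def newest_java(text: str) -> Tuple[int, int]:
    """The most recent build the lines mention, or (0, 0) if there is none."""
    return max(java_versions(text), default=(0, 0))
```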

#24 drbob01 (Member, Topic Starter, 20 posts)
Ok! I have done all that and will now try a reboot. Then, if all is still OK, I will go to the next problem, which started about the same time as this trojan. I cannot get my HP Photosmart C7280 to install properly and can't get the scanner to work. I will look somewhere else on this awesome site and see if someone can help me with that issue! You guys are great! I will put this site on our neighborhood website as a resource for those who struggle with computer issues! Many thanks!

#25 RKinner (Malware Expert, MVP, 24,731 posts)
Just got a message from noadfear who wrote the tool that killed your bug. He tells me that he has been working with the Microsoft guys and Microsoft Security Essentials is coming along nicely so feel free to use it.

Ron
#26 drbob01 (Member, Topic Starter, 20 posts)
Thanks! Will do!

#27 RKinner (Malware Expert, MVP, 24,731 posts)
Just wanted to make sure your PC survived the reboot. The first PC we ran the tool on has had a major problem after a reboot with an inability to logon. May not have been related to the tool but we have no way of knowing so thought I would ask how yours is doing.

Ron

#28 drbob01 (Member, Topic Starter, 20 posts)
Thanks! I rebooted and everything was fine...so far. I am not having the phishing site appear when I log onto my bank. Keeping my fingers crossed. Thanks for your help. Now, I hope someone at GtG can help me get my printer/scanner working again.
Take care!